Email

From MTULUG
Revision as of 13:57, 7 April 2022 by Sjwhitak (talk | contribs) (→‎Logging)

This is honestly an academic exercise because almost everyone uses Google's IMAP servers or other big ones, and anyone who doesn't is probably a spammer. So, you have to try really, really hard and put a lot of settings up to not act like a spammer. A spammer can do these exact same things, too, which means you'll need to try really hard to gain reputation and manually remove yourself from blacklists until you've put in so much effort that people have to assume you aren't a spammer. Then, if you get compromised and a spammer gains access to your mail server, you have to go through all of this all over again!

Own server

Follow this: https://gist.github.com/howyay/57982e6ba9eedd3a5662c518f1b985c7 to install dovecot and postfix. It's straightforward, but the DNS records may be a little confusing.

You need:

  1. A domain name (purchased from Namecheap, whois, GoDaddy, etc.)
  2. A server with Linux (your own server, or a VPS purchased from Linode, Hostwinds, AWS, etc.)

If your domain's example.com and your server's IP is 141.219.188.20, then point that domain to your server using your DNS records. This tutorial is a bit confusing with the DNS records, so I'm just going to step through this in more fidelity.

  • A records
    • Name: example.com, IP: 141.219.188.20
    • Name: mail.example.com, IP: 141.219.188.20
  • MX records
    • Name: example.com, Value: mail.example.com, Priority 0
  • TXT records
    • Name: example.com, Value: v=spf1 ip4:141.219.188.20 -all
    • Name: default._domainkey.example.com, Value: v=DKIM1; h=sha256; k=rsa; p=<your generated public key>
    • Name: _dmarc.example.com, Value: v=DMARC1;p=quarantine;

These DNS records are required to prevent spammers from spoofing your email. Spoofing is quite simple: the "From" header can be set to whatever the sender wants, so anyone could send mail with From: steven@example.com to a bunch of people. The spf1 DNS record says that if an email is sent from any IP other than 141.219.188.20, receivers should assume someone is trying to spoof your email. With no spf1 record, there's no way to know whether an email is spoofed, so your domain will not be trustworthy. If someone actually does try to use your email, it'll be quarantined following your DMARC1 value. Finally, if someone somehow spoofs your IP, they would still need your private key to produce a signature that verifies against the DKIM1 public key in the default._domainkey TXT record.

Finally, you'll need to set your rDNS record on your server yourself. I don't know how to do this on a server you own, but if you're using a VPS, you set this rDNS value on your server, not the domain. rDNS is a reverse lookup: when someone looks up your IP (dig -x 141.219.188.20), it responds with the mail server's domain name.

Differences

The only trouble I had was working with PAM, and I think the configuration is wrong in 0x06 Setup Dovecot IMAP server. I could only get it to work with:

passdb {
    args = failure_show_msg=yes
    driver = pam
}

I don't really know why it worked. There might have been some issues where creating your user with PAM needed some reboots. In fact, I very much distrust this setup because I only modified this parameter so I could debug the issue, but it instead fixed it all. Who knows.

Logging

If you follow all these settings, you'll miss out on logging for everything, which will suck if something's not working. In /etc/dovecot/dovecot.conf add this line:

!include conf.d/10-logging.conf

Then add some verbose settings to the /etc/dovecot/conf.d/10-logging.conf file:

log_path = /var/log/dovecot.log
auth_verbose = yes
auth_debug = yes
auth_debug_passwords = yes
mail_debug = yes
verbose_ssl = yes

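These 5 parameters are all the ones I found to get the most logging possible. Once you've got it working, you can drop the logging lines to keep everything clean. In particular, auth_debug_passwords = yes writes the passwords from failed logins to /var/log/dovecot.log in plain text, so do not leave it enabled.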

For postfix, you need to run these commands in your shell:

root #postfix stop
root #postconf maillog_file=/var/log/postfix.log
root #postfix start

Ports

The IMAP server (dovecot) uses port 143 for STARTTLS.

The IMAP server (dovecot) uses port 993 for SSL/TLS.

This configuration uses "Normal password" for the authentication method since Dovecot uses PAM as the login.

The SMTP server (postfix) uses port 587 for STARTTLS.

The SMTP server (postfix) uses port 465 for SSL/TLS.

I was only able to get SSL/TLS working for the IMAP server. The SMTP server needed to use STARTTLS.

Spam

Spam is a big issue with email and it's "fixed" by blocking literally everything (Google's policy) if the IP isn't positively trustworthy. If it's slightly trustworthy, the email is simply sent directly to spam rather than being completely blocked.

To get around this (and if you know an easy way, let me know, sjwhitak is my email, please and thank you), go to https://mxtoolbox.com/blacklists.aspx and search your IP. For every list that has you blacklisted, you'll need to go to each of their websites and manually request that you be removed. Sometimes it takes weeks, sometimes only a few days (one list immediately took me off their list, which is a bit surprising to me and makes me not want to trust their spam list). This still does not guarantee you'll get past Google's email death wall, but you'll eventually be able to get past it. Internet searches for Gmail 550-5.7.1 will show a lot of people angry at Google, whose "improved" AI system is blocking a lot of people.

If someone is more knowledgeable in this field, add to this. I'm not. I'm barely getting my email afloat and I can at least email disroot with this setup, but Gmail outright fails completely, having had a spammer use my IP 3 years ago.